Inside Webster’s Lab: Creating Active Directory Organizational Units, Users, Groups and Computers Using PowerShell

OK, I heard from enough of you who wanted me to do this in PowerShell instead of my batch file. Here is the original article using built-in Windows utilities. This article shows the original batch file converted to PowerShell.

I created four variables. One holds the domain name, one the top-level domain identifier, one determines whether the OUs are protected from accidental deletion, and the last holds the initial password as a secure string. Note that the secure string is built from a plaintext literal inside the script, so the password is still readable by anyone who can read the script file. That is acceptable for a throwaway lab; for anything else, prompt for it (Read-Host -AsSecureString) instead of hard-coding it.

The structure of the script is the same as the original batch file:

  • Creates the OUs
  • Creates the security groups
  • Creates the user accounts
  • Adds the user accounts into the security groups
  • Creates the computer accounts
Import-Module ActiveDirectory

$ADDomain = "labaddomain"
$TLD = "com"
$Protect = $False
#Secure string built from a plaintext literal: fine for a throwaway lab,
#but the password is still visible to anyone who can read this file
$CryptoPwd = (ConvertTo-SecureString -AsPlainText "FakePwd" -Force)
#Create OUs (parents before children; each -Path must already exist)
New-ADOrganizationalUnit -Name "Lab" `
-Path "dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Accounts" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Service" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "User" `
-Path "ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Desktops" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "XD76" `
-Path "ou=Desktops,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Groups" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Admin" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Desktops" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "User" `
-Path "ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "Servers" `
-Path "ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "PVS" `
-Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
New-ADOrganizationalUnit -Name "XD76" `
-Path "ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" `
-ProtectedFromAccidentalDeletion $Protect -Verbose
#Create AD security groups
New-ADGroup -Name "LocalAdmins" -SamAccountName LocalAdmins `
-GroupCategory Security -GroupScope Global `
-DisplayName "Group for users who need local admin rights" `
-Path "ou=Admin,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Description "Group for users who need local admin rights" -Verbose
New-ADGroup -Name "XDUsers" -SamAccountName XDUsers `
-GroupCategory Security -GroupScope Global `
-DisplayName "Group for users who need XenDesktop desktop access" `
-Path "ou=User,ou=Groups,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Description "Group for users who need XenDesktop desktop access" -Verbose
#Create user accounts (all share the same initial password and never expire; lab only)
New-ADUser -Name svc_ctxpvs -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "Citrix PVS Service Account" `
-DisplayName "Citrix PVS Service Account" -Enabled $True `
-PasswordNeverExpires $True `
-Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "svc_ctxpvs" -UserPrincipalName "svc_ctxpvs@$ADDomain.$TLD" `
-Verbose
New-ADUser -Name svc_ctxsqldb -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "Citrix SQL DBA Service Account" `
-DisplayName "Citrix SQL DBA Service Account" -Enabled $True `
-PasswordNeverExpires $True `
-Path "ou=Service,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "svc_ctxsqldb" -UserPrincipalName "svc_ctxsqldb@$ADDomain.$TLD" `
-Verbose
New-ADUser -Name User1 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User1 PvD" `
-DisplayName "User1" -Enabled $True `
-PasswordNeverExpires $True `
-Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User1" -UserPrincipalName "User1@$ADDomain.$TLD" `
-Verbose
New-ADUser -Name User2 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User2 PvD" `
-DisplayName "User2" -Enabled $True `
-PasswordNeverExpires $True `
-Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User2" -UserPrincipalName "User2@$ADDomain.$TLD" `
-Verbose
New-ADUser -Name User3 -AccountPassword $CryptoPwd `
-CannotChangePassword $True -ChangePasswordAtLogon $False `
-Description "User3 PvD" `
-DisplayName "User3" -Enabled $True `
-PasswordNeverExpires $True `
-Path "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-SamAccountName "User3" -UserPrincipalName "User3@$ADDomain.$TLD" `
-Verbose
#all users in the Lab/Accounts/User OU get added to the XDUsers security group
$Users = Get-ADUser `
-SearchBase "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Filter *
Add-ADGroupMember -Identity XDUsers -Members $Users
#any user in the Lab/Accounts/User OU that has PvD in the description
#gets added to the LocalAdmins security group
$Users = Get-ADUser `
-SearchBase "ou=User,ou=Accounts,ou=Lab,dc=$ADDomain,dc=$TLD" `
-Filter 'Description -like "*PvD*"'
Add-ADGroupMember -Identity LocalAdmins -Members $Users
#Create AD computer accounts (pre-staged in the OU each server will join from)
New-ADComputer -Name PVS76 -SamAccountName PVS76 -Description "PVS76" `
-Path "ou=PVS,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -Verbose
New-ADComputer -Name XD76 -SamAccountName XD76 -Description "XD76" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -Verbose
New-ADComputer -Name Director -SamAccountName Director -Description "Director" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -Verbose
New-ADComputer -Name StoreFront -SamAccountName StoreFront -Description "StoreFront" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -Verbose
New-ADComputer -Name SQL -SamAccountName SQL -Description "SQL" `
-Path "ou=XD76,ou=Servers,ou=Lab,dc=$ADDomain,dc=$TLD" -Enabled $True -Verbose

I named the script CreateLab.ps1.
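The script above is a one-shot: running it a second time fails at the first New-ADOrganizationalUnit because the OU already exists, and the initial password sits in the file as a literal. The following is an added example, not Carl Webster's CreateLab.ps1, showing the OU, group, user and membership steps rewritten so the script can be re-run safely and the password is prompted for. It assumes the same Lab tree and group names as the original; New-LabOU, New-LabGroup, New-LabUser and the $InitialPwd/$Protect variables are names chosen for this example, and it deliberately gives the interactive users a change-at-first-logon password instead of a shared never-expiring one.

```powershell
# Added example (not the original CreateLab.ps1): re-run-safe creation of the lab
# OUs, groups, users and memberships. Function and variable names are mine.
Import-Module ActiveDirectory
$VerbosePreference = 'Continue'          # same effect as the -Verbose switches in the original

$Domain    = Get-ADDomain                # derive DN and UPN suffix from the live domain
$DomainDN  = $Domain.DistinguishedName   # e.g. dc=labaddomain,dc=com
$UpnSuffix = $Domain.DNSRoot             # e.g. labaddomain.com
$Protect   = $false                      # lab only; use $true for anything you care about

# Prompt for the initial password so no plaintext secret is stored in the script file
$InitialPwd = Read-Host -AsSecureString -Prompt 'Initial password for lab accounts'

function New-LabOU {
    param([string]$Name, [string]$ParentDN)
    $dn = "ou=$Name,$ParentDN"
    # -SearchScope OneLevel: only a same-named direct child of this parent counts as existing
    if (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel) {
        Write-Verbose "OU already exists, skipping: $dn"
    } else {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $Protect
    }
    return $dn                           # returned DN becomes the parent for the next level
}

function New-LabGroup {
    param([string]$Name, [string]$Path, [string]$Description)
    if (Get-ADGroup -Filter "SamAccountName -eq '$Name'") {
        Write-Verbose "Group already exists, skipping: $Name"
        return
    }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security -GroupScope Global `
        -Path $Path -DisplayName $Description -Description $Description
}

function New-LabUser {
    param([string]$Sam, [string]$Path, [string]$Description, [switch]$ServiceAccount)
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Verbose "User already exists, skipping: $Sam"
        return
    }
    $common = @{
        Name = $Sam; SamAccountName = $Sam; UserPrincipalName = "$Sam@$UpnSuffix"
        Path = $Path; Description = $Description; DisplayName = $Description
        AccountPassword = $InitialPwd; Enabled = $true
    }
    if ($ServiceAccount) {
        # service accounts: fixed password that the service owner rotates, no forced change
        New-ADUser @common -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false
    } else {
        # interactive users: the shared initial password must be replaced at first logon
        New-ADUser @common -ChangePasswordAtLogon $true
    }
}

# OU tree, parents before children (same layout as the original script)
$LabDN      = New-LabOU -Name 'Lab'      -ParentDN $DomainDN
$AccountsDN = New-LabOU -Name 'Accounts' -ParentDN $LabDN
$null       = New-LabOU -Name 'Admin'    -ParentDN $AccountsDN
$ServiceDN  = New-LabOU -Name 'Service'  -ParentDN $AccountsDN
$UserDN     = New-LabOU -Name 'User'     -ParentDN $AccountsDN
$GroupsDN   = New-LabOU -Name 'Groups'   -ParentDN $LabDN
$GrpAdminDN = New-LabOU -Name 'Admin'    -ParentDN $GroupsDN
$GrpUserDN  = New-LabOU -Name 'User'     -ParentDN $GroupsDN

New-LabGroup -Name 'LocalAdmins' -Path $GrpAdminDN -Description 'Group for users who need local admin rights'
New-LabGroup -Name 'XDUsers'     -Path $GrpUserDN  -Description 'Group for users who need XenDesktop desktop access'

New-LabUser -Sam 'svc_ctxpvs'   -Path $ServiceDN -Description 'Citrix PVS Service Account'     -ServiceAccount
New-LabUser -Sam 'svc_ctxsqldb' -Path $ServiceDN -Description 'Citrix SQL DBA Service Account' -ServiceAccount
1..3 | ForEach-Object { New-LabUser -Sam "User$_" -Path $UserDN -Description "User$_ PvD" }

# Memberships: Add-ADGroupMember does not error on members that are already present,
# so these two calls are safe to repeat. Description is not a default property; ask for it.
$LabUsers = Get-ADUser -Filter * -SearchBase $UserDN -Properties Description
Add-ADGroupMember -Identity 'XDUsers'     -Members $LabUsers
Add-ADGroupMember -Identity 'LocalAdmins' -Members ($LabUsers | Where-Object Description -like '*PvD*')
```

Run it from an elevated PowerShell session on a domain-joined machine with the RSAT AD module, as a user who can create objects under the domain root. Because each step checks for the object before creating it, the script can be re-run after a partial failure and will only fill in what is missing; the desktop and server OUs and the computer accounts from the original script can be added in the same style with New-LabOU and a Get-ADComputer check.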

Figure 1 shows my Active Directory structure before running the script.

Figure 1

Figure 2 shows the results of running the PowerShell script.

Figure 2

Figures 3 through 13 show the AD structure after running the script (the same result as running the batch file).
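The screenshots show the result in Active Directory Users and Computers; the same check can be done from PowerShell, which is easier to diff between runs. The following is an added example, not part of the original post, that reads the created tree, group memberships, user password settings and computer accounts back and flags any interactive account that ended up with a never-expiring password. It assumes the script above has run, so the tree is rooted at ou=Lab under the domain; the Get-Lab* function names are chosen for this example.

```powershell
# Added example (not from the original post): read the lab structure back as text and
# flag password settings you would not want outside a lab. Function names are mine.
Import-Module ActiveDirectory

$LabDN = "ou=Lab,$((Get-ADDomain).DistinguishedName)"   # root created by the script above

function Get-LabOUs {
    # Every OU under Lab with its deletion-protection flag, which is not in the default property set
    Get-ADOrganizationalUnit -Filter * -SearchBase $LabDN -SearchScope Subtree `
        -Properties ProtectedFromAccidentalDeletion |
        Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
        Sort-Object DistinguishedName
}

function Get-LabGroupMembership {
    # One row per group; this is what the two Add-ADGroupMember calls should have produced
    foreach ($group in 'XDUsers', 'LocalAdmins') {
        [pscustomobject]@{
            Group   = $group
            Members = (Get-ADGroupMember -Identity $group | ForEach-Object SamAccountName) -join ', '
        }
    }
}

function Get-LabAccountPosture {
    # Password attributes must be requested explicitly; flag non-expiring passwords outside the Service OU
    Get-ADUser -Filter * -SearchBase "ou=Accounts,$LabDN" `
        -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword, PasswordLastSet,
            @{ Name = 'Finding'; Expression = {
                if ($_.PasswordNeverExpires -and $_.DistinguishedName -notlike '*,ou=Service,*') {
                    'interactive account with PasswordNeverExpires'
                } else { '' } } }
}

function Get-LabComputers {
    # Pre-staged computer accounts; Enabled shows whether the original -Enabled $True took effect
    Get-ADComputer -Filter * -SearchBase "ou=Servers,$LabDN" |
        Select-Object Name, Enabled, DistinguishedName
}

Get-LabOUs             | Format-Table -AutoSize
Get-LabGroupMembership | Format-Table -AutoSize
Get-LabAccountPosture  | Format-Table -AutoSize
Get-LabComputers       | Format-Table -AutoSize
```

Against the script as written, Get-LabAccountPosture flags User1 through User3, because the original gives every account PasswordNeverExpires and CannotChangePassword; that is the expected output for this lab and the reason the three users are listed, not a fault in the read-back. Piping each function to Export-Csv instead of Format-Table gives a file you can compare after the next rebuild.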

Figures 3 through 13

There you go, a PowerShell version of the batch file I use to create my lab’s AD structure.

You can get a PS1 version here and a TXT version here.

Thanks

Webster

2 Comments

  1. robert jaudon

    Carl,

    I didn’t mean for you to burn your free time to convert the batch file to PS!!! Cool that you provided the PS script to accomplish the same as the batch file. I intend to test this sucker out.

    Thanks for providing your knowledge…always a great resource.

    Rob

    • Carl Webster

      Only took an hour to do it.

      Webster
